N88-21494 

ORBITER PROCESSING FACILITY SERVICE PLATFORM FAILURE AND REDESIGN 

Jesse L. Harris* 


THE MISHAP 

On March 8, 1985, in high bay 2 of the Orbiter Processing Facility (OPF) 
at the Kennedy Space Center, technicians were preparing the space shuttle 
orbiter Discovery for rollout to the Vehicle Assembly Building (VAB). A 
service platform, commonly referred to as an "OPF Bucket", was being retracted 
when it suddenly fell, striking a technician and impacting Discovery's payload 
bay door. A critical component in the OPF Bucket hoist system had 
failed, allowing the platform to fall. The incident was thoroughly investigated 
by both NASA and Lockheed Space Operations Co., revealing many design 
deficiencies within the system. This paper reviews the deficiencies and the 
design changes made to correct them. See Figures 1-14. 

THE MECHANISM 

The OPF Bucket system, Figures 1 & 2, consists of a pair of work 
platforms, telescoping tube assemblies, hoisting systems, and trolleys, both 
suspended from a common overhead bridge. Each orbiter payload bay may be 
accessed by two separate bridges, for a total of four Buckets per 
high bay. 

THE WORK PLATFORM is made of aluminum, with a work area of 1 x 3 meters. 
A technician located in the Bucket has a hand operated rotation device with 
which he may rotate the Bucket one to two full revolutions. The 
first production set of OPF Buckets uses a chain drive system that allows 
the Bucket to rotate two revolutions but requires locking the Bucket 
into position after rotation. A later set of OPF Buckets uses a worm gear 
drive device which is self locking but rotates only one revolution. At 
the time of the mishap the Buckets had a rated capacity of 225 kg and were 
connected to the hoisting system thru the rotation device. An electrical 
control station, Figure 3, is available in the Bucket which controls the 
direction (up/down, east/west, and forward/aft) and speed (3 meters/min. and 
1 meter/min.) of the Bucket motion drives. 

THE TELESCOPING TUBE ASSEMBLY consists of four nested square steel 
tubes each 2.75 meters long allowing the Bucket to lower 6 meters into the 
orbiter payload bay. The telescoping tubes carry torsional loads preventing 
the Bucket from rotating in the horizontal plane and carry bending moments 
preventing eccentric loads from tipping the Bucket in the vertical plane. 
The tubes do not provide vertical support. The smallest of the tubes is 250 
mm square and connected at its bottom to the Bucket thru the rotation 
device; the upper end of the tube has a travel stop which engages 
intermediate tubes above it. The two intermediate tubes, one 300 mm and 
the other 350 mm square, have bronze guides and travel stops which engage 
their adjacent tubes. The fixed upper tube is 400 mm square and is directly 
connected to the trolley chassis. 

THE HOISTING SYSTEM, Figure 4 & 7, raises, lowers and provides vertical 
support for the Bucket and telescoping tubes. A two part reeved, dual wire 
rope hoist system using a commercial, off the shelf, wall mounted, 1350 kg 
capacity, AC electric hoist is used. 

At the heart of the system is the hoist which has full depth, 20 degree 
involute, modified tooth form, straight spur gears, machined integrally with 
or splined to their shafts. The modified tooth form allows high addendum, 
small pitch diameter pinions, with higher strength teeth, to be used with 
low addendum gears more closely matching gear and pinion tooth strength and 
preventing undercutting of the pinion teeth. The hoist has an electrical 
solenoid operated drum type holding brake attached to its motor and an 
automatic Weston screw-and-disc type load brake mounted between the first 
and second gear reductions in the gearbox. Figure 5. The Weston load brake 
holds the load regardless of whether the power is on or off. When lowering 
the load the motor applies torque to the load brake causing the disc to 
unscrew and thus slip, allowing the load to lower. When raising, the motor 
causes the disc assembly to screw together, tightening the assembly. A 
ratchet pawl engages a ratchet on the disc preventing the load from 
backdriving when stationary. 

The hoist is mounted to the outside of the fixed 400 mm upper tube and 
has two 10 mm stainless steel wire ropes anchored to its drum. The 
wire ropes pass through an upper snatchblock attached to the top of the fixed 
tube and, at the time of the mishap, routed down thru the telescoping tubes 
to a lower snatchblock attached to the Bucket rotation device. The rope is 
routed through the lower snatchblock terminating at the upper end of the fixed 
tube. With the two part reeving the hoisting system has a rated lifting 
capacity of 2700 kg. 

THE TROLLEY provides support and east/west motion capability for the 
Bucket and telescoping tubes. It is a steel frame chassis with a 
commercial, underhung, four wheel trolley unit at each corner of the 
frame. Two of the wheeled trolley units have electric drive motors and 
geared drive wheels. 

THE BRIDGE is a steel truss which supports two trolley/Bucket 
assemblies and provides the forward/aft motion capability of the system. 

The electric drive motor and gear box are centrally located on top of the 
truss, connected to drive shafts running to each end of the truss; chain 
drives connect the drive shafts to the drive wheels. Figure 6. The 
bridge also has a control station that can control hoist, trolley and bridge 
drives for each bucket. 

THE CAUSE OF THE MISHAP 


The direct cause of the mishap was a failure of a hoist system master 
link, Figure 7, allowing the bucket to fall, Figure 8. The master link 
attached the lower snatchblock to the Bucket and was probably broken by 
locking up the Bucket's vertical hoisting system. The locking up resulted 
from the Bucket being raised until the telescoping tubes had reached their 
upper travel limit and were physically prevented from further motion. The 
hoist continued to drive applying an increasingly large force to the lower 
snatchblock and master link assembly causing the master link to break. An 
electrical limit switch designed to shut off power to the hoist prior to the 
tubes reaching their upper travel limit had been misadjusted and did not 
engage, Figure 9. The hoist system was designed to have redundant wire 
ropes, lower snatchblocks and master links loaded in parallel. 

An earlier failure of one of the master links had occurred at which time 
the Bucket was removed from service and "Do Not Operate" tags were attached to 
the Bucket control stations. The mishap occurred upon failure of the second 
master link after the Bucket was tagged out. The primary cause of the 
mishap was attributed to operator error due to unauthorized use of the 
tagged out Bucket. 

Investigation by NASA, Lockheed Space Operations Co., and a Lockheed 
Corp. protection consultant revealed many design related deficiencies with 
the OPF Bucket's hoisting and positioning mechanisms. These deficiencies 
were significant and, if not corrected, would probably have led to another 
mishap. Below is a summary of these deficiencies. 

1. The OPF Bucket system lacked a mechanical lock that would support 
the system and prevent its inadvertent use. 

2. The system lacked an operational up travel stop switch thus allowing 
the Bucket operator to use the limit switch as the operational stop. The 
system lacked any device that would indicate a failure of the limit switch. 

3. The system was not provided with an overload protection device. 

4. Main load carrying components were inaccessible and could not be 
readily inspected. 

5. The electrical control system operated differently for the first 
production set of OPF Buckets than it did for the second production set. 

6. The design of the control station switches would cause them to stick 
in the energized position after repeated use. 

7. There were no visual aids to help the operator determine when he was 
approaching the end of travel of the hoist system. 

8. Inadequate clearance existed between the bottom of the OPF Bucket 
and the orbiter payload bay doors when the doors were being closed. This 
required the operator to retract the Buckets until the limit switch was 
reached. 

9. The load capacity limit for the OPF Bucket was inadequate to support 
normal operations. 

10. The master link failed at less than its rated capacity. 

11. Other hoist system overload modes existed such as telescoping tubes 
which could bind then release and fall causing impact loads to the system. 
Bucket handrails could bottom out on other structures during retraction if 
the Bucket was not rotated to the proper orientation. 

12. Downward overtravel could cause the hoist wire rope to rewind in 
the opposite direction on the hoist drum and cause the hoist load brake to 
be ineffective. 

THE NEW DESIGN 


Personnel and flight vehicle safety was the primary concern in the 
redesign effort. The design changes to correct the deficiencies in the 
system were not limited solely to beefing up the failed components but 
included a wide scope of changes including: improved maintenance 
capabilities, improved operation, increased load carrying capacities, 
electrical control reliability and safety enhancements. Improvement in 
reliability and the elimination of single failure points were also main 
goals of the redesign. 

A review of OSHA and ANSI specifications revealed that there were no 
government or industrial standards for this particular type lifting 
mechanism. There were specifications for similar devices, however, such as 
exterior building maintenance platforms, typically used by painters and 
window washers for access to the outside of buildings. These specifications 
required that the platforms be maintained in a horizontal position with the 
failure of one of the hoisting ropes, that minimum safety factors of 10:1 be 
provided on the hoisting system and that the system have no single failure 
points. The new design would comply with the intent of these 
specifications. 

INTERIM CHANGES were made immediately following the mishap to prevent a 
recurrence of the failure and allow returning the Buckets to service under 
restricted use. The changes included: 

1. Redundant limit switches were installed at the upper end of the 
telescoping tubes. The switches were placed in series with the first switch 
located 45 mm below the physical upper travel limit and the second located 
25 mm below the limit. The switches were also reoriented to eliminate the 
misalignment problem which contributed to the mishap. The change in 
alignment can be seen in Figures 9 & 13. 

2. Visual aid stripes were painted on the telescoping tubes. The 
stripes are visible to the operator and when aligned indicate that the 
travel limit is being approached. 

3. Inspection holes were cut in the lower end of the 250 mm telescoping 
tube allowing easy access and inspection of the master links and 
snatchblocks. 

PERMANENT MODIFICATIONS were made to the system after completion of the 
mishap investigations that were intended to correct the design deficiencies 
identified by the various mishap investigation committees. An extensive 
failure modes and effects analysis was performed which identified system 
single failure points, latent failure points and hazards which were 
corrected where possible. Latent failure points, such as a failed-closed 
upper limit switch, are failure points in redundant systems in which the 
failure would be undetectable during normal use. These points were required 
to be inspected on a periodic basis if they could not be removed by design. 

The inspection requirement assured that if any failures occurred they would 
not go long undetected. 

The importance of operator and user involvement in the redesign effort 
cannot be overemphasized. A key element in the redesign effort was the use of 
interviews by the design engineers with the Bucket operators. The operators 
knew the system well and had valuable information on how the system should 
be configured to suit their needs. 

Inspection of the telescoping tube travel stops revealed damage caused 
by the tubes binding then working loose, freefalling and impacting the 
stops. Methods to individually drive each tube with jackscrews or wire 
ropes were rejected as being difficult to control and requiring too much 
space. It was decided that a method to control the fall of the tubes would 
be more practicable. The tubes if they should hang up would be allowed to 
fall but the descent velocity of the fall would be limited. 

The selection of the descent control device involved trade off studies 
of different concepts including hydraulic cylinders and centrifugal brake 
type devices. The hydraulic cylinder concept appeared initially to be the 
most promising since the descent velocity could be controlled simply by 
selecting the correct size orifice for each size telescoping tube and the 
orifice size could be varied with ease. Problems with differing hydraulic 
fluid volumes between the downstroke and upstroke and concerns with the 
possibility of contaminating Space Shuttle payloads with leaking hydraulic 
fluid led to the rejection of the hydraulic cylinders as descent control 
devices. 

The system finally selected was a commercial load control brake which 
is actually a personnel escape device used by construction workers to jump 
off buildings in emergency situations. The device has an internal 
centrifugal brake that will limit angular velocity similar to the rotary 
dial in a dial type telephone forced in the counterclockwise direction. The 
load control brake is attached to the trolley chassis with an 8 mm wire rope 
routed down through a pulley on the telescoping tube, and back up to 
terminate at the trolley chassis. Figure 10. 

A load sensing device, Figures 11 & 12, was installed that would sense 
high or low hoist loads and shut off power to the system. A load equalizing 
bar was also installed to maintain equal loading of the 10 mm wire ropes. 

The hoisting system components, Figure 11 & 13, were repositioned to 
allow access for inspection of the wire ropes and wire rope pulleys. The 
lower snatchblock and master link assembly were eliminated. 

To prevent inadvertent operation of one Bucket by an adjacent Bucket 
operator the control system circuitry was reconfigured. The Buckets in both 
OPF high bays were made to operate identically. 

A study of the hoist revealed that the load control brake ratchet pawl 
stop, item 34 in Figure 5, a hex head screw, was located adjacent to the 
gearbox oil drain plug, item 33 in Figure 5. The two could be easily 
confused and inadvertent removal of the brake ratchet pawl stop would cause 
the brake to become nonfunctional. Labels were attached to the drain plug 
and the ratchet pawl stop bolt was sealed to the gearbox case. 

Shunt trip circuit breakers were installed and mounted in a locked 
cabinet. Once tripped the circuit breakers cannot be reset without 
unlocking the cabinet. The circuit breakers are wired to the upper limit 
switches and to the load sensing switch. A tripped circuit breaker will 
indicate that there is a problem with the system and that inspection or 
repairs are required. 
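
The latent failure point named above (a failed-closed upper limit switch) can be made concrete with a small model of the redesigned stop chain. This is an added illustration, not part of the original paper: the 45 mm and 25 mm switch positions, the series wiring and the locked-cabinet reset come from the text, while the class and function names, the 100 mm starting gap and the 5 mm step are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LimitSwitch:
    name: str                    # hypothetical label
    trip_gap_mm: int             # distance below the physical upper travel limit
    failed_closed: bool = False  # latent fault: contacts never open

    def opens(self, gap_mm: int) -> bool:
        return not self.failed_closed and gap_mm <= self.trip_gap_mm

class ShuntTripBreaker:
    """Latches once tripped; reset requires the locked cabinet to be opened."""
    def __init__(self):
        self.tripped = False

    def trip(self):
        self.tripped = True

    def reset(self, cabinet_unlocked: bool) -> bool:
        if cabinet_unlocked:
            self.tripped = False
        return not self.tripped

def raise_bucket(switches, breaker, start_gap_mm=100, step_mm=5):
    """Drive the hoist up; return (gap where motion stopped, locked_up)."""
    gap = start_gap_mm
    while gap > 0 and not breaker.tripped:
        gap -= step_mm
        # Series string: any one open contact removes hoist power.
        if any(s.opens(gap) for s in switches):
            breaker.trip()
    return gap, gap <= 0 and not breaker.tripped

def periodic_inspection(switches):
    """Actuate each switch on its own; report the ones that fail to open."""
    return [s.name for s in switches if not s.opens(0)]

def scenario(fail_first=False, fail_second=False):
    switches = [LimitSwitch("upper-1", 45, fail_first),
                LimitSwitch("upper-2", 25, fail_second)]
    breaker = ShuntTripBreaker()
    gap, locked_up = raise_bucket(switches, breaker)
    return gap, locked_up, breaker.tripped, periodic_inspection(switches)

if __name__ == "__main__":
    for label, args in [("healthy", ()), ("first failed closed", (True,)),
                        ("both failed closed", (True, True))]:
        print(label, scenario(*args))
```

With one switch failed closed the hoist still stops and the breaker still trips, so the operator sees the same symptom as in the healthy case; only the individual actuation in the periodic inspection identifies the failed switch before a second failure leads to lock-up.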

Concepts are now under study to eliminate single failure points in the 
gear train of the commercial hoist. Concepts being considered are replacing 
the existing hoist with a commercial hoist that has no single failure 
points, installing a brake on the drum of the existing hoist or installing 
an inertia reel type load brake between the Bucket and the support 
structure. Control systems for telescoping tubes which could be used in 
lieu of the descent control devices are being investigated. Results of 
these studies are expected by the second or third quarter of 1988. 

TESTING 

Tests were conducted to verify that the load control brake used to 
control the descent of a falling telescoping tube would function correctly, 
and that the hoist system components' breaking strength was as assumed. 

To test the load control brakes a full scale simulator, Figure 14, was 
built to simulate the 350 mm telescoping tube and trolley chassis. Load 
cells were installed at the four corners of the trolley chassis, where the 
wheeled trolley units are located, to measure trolley loads and at the load 
brake wire rope termination to measure load brake loads. A linear 
transducer, "fish reel pot" was installed at the bottom of the telescoping 
tube to measure displacement and velocity. The telescoping tube was allowed 
to freefall with the load control brake connected and the loads at the 
trolley measured during impact of the tube travel stop. All load control 
brakes are qualification tested in this manner prior to installation on an 
OPF Bucket. 

A failure test of the wire rope pulleys, Figure 13, and load limiting 
switch assembly, Figure 12, was conducted to verify that the manufacturer's 
rated breaking strength was valid for the configuration in which they were 
being used. The test results confirmed that the weak link in the system was 
not the wire rope, which was analyzed as the weakest element, but the 
load limiting switch. The switch failed at 95% of its rated breaking 
strength. The test did confirm that adequate safety factors were provided 
for the system. 

CONCLUSIONS 

There are many lessons to be learned from the OPF Bucket failure, the 
most important of which is that equipment can be misused and probably will 
be if it does not meet the needs of its user. Design engineers must solicit 
the opinions and needs of the people who will use and operate the mechanisms 
that they design. 

Latent failure points should be identified and dealt with; a failure in 
a redundant system that goes undetected in turn creates a single failure 
point. Often a latent failure point may be worse than a single failure 
point because it may instill a false sense of security in the system. 

The failure of the master link at less than its specified breaking 
strength is an example of a manufacturer's desire to get the most from his 
product. In this case the rated breaking strength was based on unpublished 
test conditions. These conditions were not only omitted from his catalog 
and engineering design manuals, but were not even common knowledge of his 
engineers. When critical systems are involved it pays to test the 
components to determine their limitations. 

HOIST GEARBOX EXPLODED VIEW 

Figure 7 

Figure 8. BUCKET TRAJECTORY AT MISHAP (labels: BUCKET POSITION BEFORE MISHAP, POSITION AFTER MISHAP) 

Figure 9. LIMIT SWITCH CONFIGURATION AT TIME OF MISHAP 

Figure 10. OPF BUCKET WITH LOAD CONTROL BRAKE 